The post you link to does indeed state that folded headers are handled correctly, but this recipe is examining the body, not a header.
It is a misfeature of Procmail that it doesn't recognize MIME structures correctly; this would be an important addition to a modern mail filter; but alas, Procmail development ceased already in the early 2000s (and already once before then, when the original developer let go).
As a crude workaround, you could temporarily split a MIME multipart message on the MIME boundary, and feed each part to a separate Procmail recipe, but this quickly becomes brittle and complex (in theory, MIME messages could be nested arbitrarily deeply, though for most practical purposes, you only need to recurse one or two levels down -- anything beyond that is probably a bounce or something like that, not directly a feature of the message you are examining).
Because your regex has only a few possible (realistic!) split points, you can refactor it to account for possible line breaks:
:0 * ^Content-type: multipart/ { :0B * ^Content-Type: application/(zip|x-zip-compressed)|\ ^Content-Type:.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm)|\ ^Content-.*attachment.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm)|\ ^Content-.*application.octet-stream.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm) $L/.3_my._quarantine/ }
You'll notice the (($)[ ].*)*
addition in a few places. This accounts for a possible newline (($)
) followed by a whitespace character (tab or space, [ ]
) followed by anything, repeated zero or more times.
(As an aside, this would perhaps be slightly easier to debug with scoring:
:0 B * 1^1 ^Content-Type: application/(zip|x-zip-compressed) * 1^1 ^Content-Type:.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm) * 1^1 ^Content-.*attachment.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm) * 1^1 ^Content-.*application.octet-stream.*(($)[ ].*)*name=.*\.(zip|exe|rar|rtf|docm) ...
With this, you can see in the VERBOSE=yes
log the result of each individual regex in this complex multi-regex recipe.)
If you need a completely watertight recipe, perhaps write a simple script in Python or Perl (or Ruby or ... what have you) to normalize the MIME structure. I remember there was a tool called emil
a long time ago which did something like this, but it was never very well-established, let alone well-documented. (In fact, IIRC it was designed specifically to plug into pre-MIME sendmail
, and was near-impossible to use for anything else.)